GRC issues management

Issues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness.

An issue is created automatically when:
  • Issue - An indicator fails
  • Control issue - A control attestation is completed indicating that the control is Not implemented
  • Control test issue - A control test is closed complete with the control effectiveness set to Ineffective
  • Other issue - is created by the user manually

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk exposure. Accepting an issue marks an intention to create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.